why getOffset always fails?

Sep 3, 2013 at 4:12 AM
Edited Sep 3, 2013 at 4:20 AM
lkd> .sympath
Symbol search path is: srv*c:\symbols*http://msdl.microsoft.com/download/symbols
Expanded Symbol search path is: srv*c:\symbols*http://msdl.microsoft.com/download/symbols

lkd> !pycmd
Python 2.7.3 (default, Apr 10 2012, 23:31:26) [MSC v.1500 32 bit (Intel)] on win32
Type "help", "copyright", "credits" or "license" for more information.
(InteractiveConsole)
from pykd import *
getOffset("PsLoadedModuleList")
Traceback (most recent call last):
File "<console>", line 1, in <module>
SymbolException: failed to find module for symbol: PsLoadedModuleList


a=module('nt')
print a
Module: nt
Start: ffffffff83c4e000 End: ffffffff84060000 Size: 412000
Image: ntkrpamp.exe
Symbols: not found <-----------no symbol~~~~
Timestamp: 4ec79850

Check Sum: 3cac28

I have set _NT_SYMBOL_PATH, and I also used "pykd.setSymbolPath"
but still failed

my platform is win7 32bit
Sep 3, 2013 at 8:47 AM
1)
try to reload symbols for nt manually in kd/windbg:
kd>!sym noisy
kd>.reload /f nt
kd>lmvm nt

Check the output. Maybe the symbols are unavailable?

2)
There is one trick. It is useful for minidump analysis.
MSFT has one version of the NT kernel for win7 - ntkrnlpa.exe. It can be renamed to ntkrpamp.exe, ntkrnlmp.exe or ntoskrnl.exe on your system. But symstore has an image only for ntkrnlpa.exe. You can copy the file C:\symbols\ntkrnlpa.exe\4EC79850412000\ntkrnlpa.exe to C:\symbols\ntkrpamp.exe\4EC79850412000\ntkrpamp.exe. It may help.
Sep 4, 2013 at 3:16 AM
I think my symbol is ok

lkd> lmvm nt
start end module name
804d8000 806d0480 nt (pdb symbols) c:\windows\symbols\ntkrnlpa.pdb\30B5FB31AE7E4ACAABA750AA241FF3311\ntkrnlpa.pdb
Loaded symbol image file: ntkrnlpa.exe
Image path: ntkrnlpa.exe
Image name: ntkrnlpa.exe
Timestamp:        Mon Apr 14 02:31:06 2008 (4802516A)
CheckSum:         002050D3
ImageSize:        001F8480
File version:     5.1.2600.5512
Product version:  5.1.2600.5512
File flags:       0 (Mask 3F)
File OS:          40004 NT Win32
File type:        1.0 App
File date:        00000000.00000000
Translations:     0804.04b0
CompanyName:      Microsoft Corporation
ProductName:      Microsoft(R) Windows(R) Operating System
InternalName:     ntkrnlpa.exe
OriginalFilename: ntkrnlpa.exe
ProductVersion:   5.1.2600.5512
FileVersion:      5.1.2600.5512 (xpsp.080413-2111)
FileDescription:  NT Kernel & System
LegalCopyright:   (C) Microsoft Corporation. All rights reserved.
lkd> ln PsLoadedModuleList
(80554fc0) nt!PsLoadedModuleList | (80554fe0) nt!PsLoadedModuleResource
Exact matches:
nt!PsLoadedModuleList = <no type information>
lkd> !pycmd
Python 2.7.3 (default, Apr 10 2012, 23:31:26) [MSC v.1500 32 bit (Intel)] on win32
Type "help", "copyright", "credits" or "license" for more information.
(InteractiveConsole)
getOffset("PsLoadedModuleList")
Traceback (most recent call last):
File "<console>", line 1, in <module>
SymbolException: failed to find module for symbol: PsLoadedModuleList
and I tested in a clear xp sp3
Sep 4, 2013 at 9:02 AM
confirmed
issue: 12145

you can use a workaround:
getOffset("nt!PsLoadedModuleList") - works properly

nt = module("nt")
nt.PsLoadedModuleList - works properly
Sep 4, 2013 at 1:20 PM
yet another workaround:
expr("PsLoadedModuleList")
Sep 5, 2013 at 3:44 AM
I tested

lkd> !pycmd
Python 2.7.3 (default, Apr 10 2012, 23:31:26) [MSC v.1500 32 bit (Intel)] on win32
Type "help", "copyright", "credits" or "license" for more information.
(InteractiveConsole)
getOffset("nt!PsLoadedModuleList")
Traceback (most recent call last):
File "<console>", line 1, in <module>
SymbolException: PsLoadedModuleList is not found

nt = module("nt")
print nt
Module: nt
Start: ffffffff804d8000 End: ffffffff806d0480 Size: 1f8480
Image: ntkrnlpa.exe
Symbols: export symbols
Timestamp: 4802516a
Check Sum: 2050d3

nt.offset( "PsLoadedModuleList")
Traceback (most recent call last):
File "<console>", line 1, in <module>
SymbolException: PsLoadedModuleList is not found
still can't work properly
and following method is ok
print expr('nt!PsLoadedModuleList')
2153074624
Sep 5, 2013 at 7:10 AM
Ok, there are two problems:
1) getOffset does not work properly with public symbols. It can be worked around by using "expr" or by specifying the module name
2) In your last output pykd cannot get symbols ( Symbols: export symbols ). This is another problem. Can you upload the ntkrnlpa.exe file? I'll try to investigate why pykd cannot get symbols.
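
A fallback resolver built from the lookups tried in this thread, added here as an example (not part of any post and not pykd's own code): it tries getOffset, the module-qualified forms and expr in turn, records why each one failed, and masks the result to the target's pointer width. The helper names, the ptr_bits parameter and the stand-in lookups are assumptions; the stand-ins replay the errors and the address shown in the thread so the block also runs outside a debugger.

```python
def pykd_backends(module_name):
    """The four lookups tried in the thread. Only usable inside WinDbg/kd with pykd loaded."""
    import pykd  # lazy import so this file also loads outside a debugger
    qualified = "%s!%%s" % module_name  # e.g. "nt!%s"
    return [
        ("getOffset(name)", lambda n: pykd.getOffset(n)),
        ("getOffset(module!name)", lambda n: pykd.getOffset(qualified % n)),
        ("module.offset(name)", lambda n: pykd.module(module_name).offset(n)),
        ("expr(module!name)", lambda n: pykd.expr(qualified % n)),
    ]


def resolve_symbol(name, module_name="nt", backends=None, ptr_bits=32):
    """Try each lookup in order; return (address, method_used, failures)."""
    if backends is None:
        backends = pykd_backends(module_name)
    # print(module) shows 32-bit kernel addresses sign-extended to 64 bits;
    # mask so that every lookup path yields a comparable value.
    mask = (1 << ptr_bits) - 1
    failures = []
    for label, lookup in backends:
        try:
            addr = int(lookup(name))
        except Exception as exc:  # SymbolException under pykd, LookupError from the stand-ins
            failures.append((label, str(exc)))
            continue
        return addr & mask, label, failures
    raise LookupError("%s!%s not resolved: %r" % (module_name, name, failures))


def failing_lookup(message):
    """Constructed stand-in for a pykd call that raises, as in the thread's tracebacks."""
    def lookup(_name):
        raise LookupError(message)
    return lookup


# Constructed stand-ins replaying the failures and the expr() result reported in the thread.
SAMPLE_BACKENDS = [
    ("getOffset(name)", failing_lookup("failed to find module for symbol: PsLoadedModuleList")),
    ("getOffset(module!name)", failing_lookup("PsLoadedModuleList is not found")),
    ("module.offset(name)", failing_lookup("PsLoadedModuleList is not found")),
    ("expr(module!name)", lambda n: 2153074624),
]

if __name__ == "__main__":
    addr, method, failures = resolve_symbol("PsLoadedModuleList", backends=SAMPLE_BACKENDS)
    print("0x%08x via %s after %d failed lookups" % (addr, method, len(failures)))
```

Inside the debugger, call resolve_symbol("PsLoadedModuleList") with no backends argument; pass ptr_bits=64 on a 64-bit target.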
Sep 6, 2013 at 5:54 AM
ok , I have sent it to pykd.codeplex@hotmail.com
Sep 9, 2013 at 6:40 AM
I tried to open the uploaded file as a dump. Pykd found symbols. I have no ideas now )))).
Sep 11, 2013 at 3:02 AM
ok, let's just put these problems aside
would you please send the "attachKernel" supported version pykd to me? Thanks~
Sep 11, 2013 at 2:18 PM